
Alkalidum

Posted 20 August 2015 - 02:42 PM

Alkalidum

Member

Member

64 posts

Hi there,

I've got some malware on my PC that keeps reinstalling itself. I've removed them all and they just keep coming back! Programs like GamesDesktop, WordSurfer, Smartweb, Flashbeat, CinemaPlus. I've run a scan with Avast, and also ran AdwCleaner, but Avast found nothing and the cleaner removed some stuff but they still come back. It's also opening random webpages and just opened a video advert which I couldn't close. I've been removing them in Control Panel 'Uninstall or change a program'. It also appears to be changing my personal settings on startup. My Avast antivirus has been going crazy with reports of blocked files; this is the most recent one:

Description: The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Search service, but this action failed with the following error:


pystryker

Posted 20 August 2015 - 07:10 PM

Hello and welcome to Geeks To Go! My nickname is Pystryker, and I will be helping you with your issue today.

Before we get started, I have a few things I need to go over with you.

If you are receiving help for this issue at another forum, please let me know so I can close this thread.

Please download to and run all requested tools from your Desktop.

Please do not install any new software during the cleaning process other than the tools I provide for you. This can hinder the cleaning process.

At the top of your post, please click on the "Follow this topic" button and make sure that the "Received notification" box is checked and set to "Instantly". This will send an email to you as soon as I reply to your topic, allowing us to solve your problem faster.

If any of your security programs give you a warning about any tool I ask you to use, please do not worry. All the links and tools I provide to you will be safe.

Please do not run any tools other than the ones I ask you to, when I ask you to. Some of these tools can be very dangerous if used improperly. Also, if you use a tool that I have not requested you use, it can cause false positives, thereby delaying the complete cleaning of your machine.

This is a complicated process. It requires several steps, patience, and careful following of my instructions in the order they are given to diagnose your problems to get your machine back in working order.

Please stay with me until the end of all steps and procedures and I declare your system clean. Just because there is a lack of symptoms does not indicate a clean machine. I promise to do the same for you.

It is impossible for me to know what interactions may happen between your computer's software and the tools we will use to clean your machine. Therefore, I highly recommend you backup any critical personal files on your machine before we start.

If you have any questions at all, please don't hesitate to ask. There's no such thing as a stupid question when dealing with malware.

If you are unsure of an instruction I give you, or if something unexpected occurs, do NOT proceed! Stop and ask for clarification of the instruction or tell me what occurred.

Please remember, the fixes are for your machine and your machine ONLY! Do not use these fixes on any other machine, each fix is tailor made for your system only. Using a fix on another machine can and will cause serious damage.

Once we have cleaned your machine, we'll have some cleanup and prevention steps to go through. We will also provide you with some information about how to reduce your chances of infection and get some protections in place to help defend you against this in the future.

Please be patient while I am analyzing your logs. I know you are probably scared and very frustrated with this problem, but I am a volunteer and sometimes life does get in the way.

Now, let's get started, shall we?

Hello, let's start showing your unwelcome guests the door.

Please disable your antivirus for the duration of my instructions. Don't forget to re-enable them after you have completed the steps.

Step 1: P2P Warning and Program Uninstalls

The Dangers of P2P Programs

I noticed that you have a P2P file sharing program on your computer. I cannot stress highly enough the danger in using these types of programs. P2P programs are one of the major avenues of infection these days. The files downloaded with these programs are more likely than not infected with trojans, malware, rootkits, etc.

You run the risk of getting an infection that can compromise your sensitive data, such as financial records, personal information, etc. That is just the infection aspect of using P2P programs. You also run the risk of possible arrest, fines, or in severe cases, jail time for illegal downloading of copyrighted material.

There are also new infections out there such as CryptoWall 3.0 and CryptoLocker. When infected with these, all of your personal files on any drive connected to your computer will be affected. These infections copy all your files, encrypt them, and then delete the originals, leaving you with the encrypted copies. You are then presented with a screen telling you that you have a certain amount of time to pay the ransom for the decryption code to decrypt your files. Even if you pay the ransom, the decryption process usually results in corrupt and unusable files.

There is nothing we can do to decrypt the files, as they use very sophisticated encryption techniques. Please consider this when using P2P programs. Malware and ransomware writers use P2P to spread their infections.

I very much recommend you uninstall this program from your machine. If not, I can guarantee you will be back needing help with your machine again. The risks of infections from content downloaded with P2P programs far outweigh any benefit of using them.

It is, of course, your choice as to whether or not you remove the program from your machine. It is my duty though, to point out how dangerous it is to use these programs. However, I must request that you do not use it while we are cleaning your machine.

Program Uninstalls

Please uninstall the following programs from your machine as they are adware/malware related. If one of the programs fails to uninstall, please move on to the next one in the list.

AnyProtect

Pando Media Networks

Rocket League

Step 2: Fix with FRST

Note: Before executing this step, please move FRST64.exe from C:\Users\Speed X8\Downloads to your Desktop or the fix will not work.

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy.

Right-click in the open notepad and select Paste).

Save it on the desktop as fixlist.txt

NOTE: It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.

Double click (Vista and 7 users: right click) the adwcleaner.exe file and click Run as Administrator, then accept the UAC prompt to run AdwCleaner.

Once AdwCleaner's control panel is open and it says "Waiting for Action", click on Options at the top of the control panel.

Please Uncheck the following options:

Reset Proxy Settings

Reset Winsock Settings

Please Check the following options:

Reset TCP/IP Settings

Reset Firewall Settings

Reset IPSec Settings

Reset BITS Queue

Reset Internet Explorer Policies

Reset Chrome Policies

Close any open windows or browsers.

Pause your Anti-Virus program if it is running.

Once it starts, click on the Scan button.

Let the scan complete itself. This may take a few minutes.

Once the scan has finished, it will say "Pending, uncheck elements you don't want to remove.", don't worry about unchecking anything and then click the Cleaning button. When finished, it will ask to reboot. Please reboot.

When the machine has rebooted, a log will be produced. Please copy/paste that in your next reply. Here's how:

Click the Logfile button and the log will open. Copy and Paste the contents of the log file into your next reply.

This report is also saved at C:\

Step 5: Fresh FRST Scan

Start Farbar's Recovery Scan Tool and press the Scan button.

FRST will scan your system and produce one log this time. Please post it in your next reply.

pystryker

Posted 21 August 2015 - 04:46 AM

pystryker

Trusted Helper

Malware Removal

3,894 posts

Hi,

Thanks for the fast response!

Hello, you're quite welcome.

I have a quick question: Are you running a proxy server on your machine, as I see one in the latest FRST log that you provided. Please let me know, and I'll prepare the next set of instructions. Also, how is the machine running at this time?

Alkalidum

Posted 21 August 2015 - 04:54 AM

Alkalidum

Member

Topic Starter

Member

64 posts

Hmm... I'm not very good with computers so not really sure what a proxy server is. However, after I ran AdwCleaner and my PC rebooted I tried to load up Chrome and I wasn't able to load up any pages; it said about disabling a proxy setting, which I did, then Chrome worked fine.

The PC seems to be running slower than usual and something called Ninja Loader is showing up in my start menu.

pystryker

Posted 21 August 2015 - 05:11 AM

pystryker

Trusted Helper

Malware Removal

3,894 posts

Basically a proxy server is a machine that your computer would go through before getting to the Internet. What it would do is all of your traffic that goes to the internet would go through it, and then to the internet; anything coming back would go through it and then to your machine. If you have a Wi-Fi connection, or a direct connection to your router or modem, I will remove the proxy from the system. I didn't see it in your initial logs, and it looks like it is a known malware proxy.

I will have further instructions this evening, as I'm about to leave for work. We will also be removing the Ninja Loader that you are seeing as well. :-)
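A way to check for the kind of hijacked proxy setting described above, as an added example that is not part of this thread and not one of the helper's tools: it reads the WinINet proxy values that Chrome and Internet Explorer honour from the registry and lists local loopback listeners to compare against. It assumes the standard Internet Settings registry keys; the "worth a look" heuristic (an enabled loopback proxy or a PAC URL on a home PC) is my own assumption, not something from the thread.

```powershell
# Added example (not from the thread): report the WinINet proxy configuration
# so a proxy inserted by adware can be spotted and documented before cleanup.
# Run in PowerShell on Windows 7 or later.

$hives = @(
    @{ Name = 'Current user';  Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' },
    @{ Name = '.DEFAULT user'; Path = 'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings' }
)

function Get-ProxyReport {
    param([string]$Label, [string]$Path)

    if (-not (Test-Path $Path)) {
        return [pscustomobject]@{ Scope = $Label; Present = $false }
    }

    $p = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    $enabled  = ($p.ProxyEnable -eq 1)
    # Adware proxies usually point at a helper process on the same machine
    # (127.0.0.1:<port>) or push a PAC script via AutoConfigURL. A home PC
    # normally has neither, so flag those shapes for a closer look (assumption).
    $loopback = $p.ProxyServer -match '127\.0\.0\.1|localhost'
    $hasPac   = [bool]$p.AutoConfigURL

    [pscustomobject]@{
        Scope        = $Label
        Present      = $true
        ProxyEnable  = $enabled
        ProxyServer  = $p.ProxyServer
        AutoConfig   = $p.AutoConfigURL
        WorthALook   = ($enabled -and $loopback) -or $hasPac
    }
}

foreach ($h in $hives) {
    Get-ProxyReport -Label $h.Name -Path $h.Path
}

# A loopback proxy needs something listening on that port. List local TCP
# listeners with their owning PID so the port in ProxyServer can be matched
# to a process in Task Manager.
netstat -ano -p tcp | Select-String 'LISTENING' | Select-String '127\.0\.0\.1'
```

If ProxyServer names a 127.0.0.1 port and netstat shows a listener on it, the PID in the last column identifies the process that would receive every browser request.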

Alkalidum

Posted 21 August 2015 - 05:32 PM

Alkalidum

Member

Topic Starter

Member

64 posts

Hey,

Just got back from a night of drinking so will follow these steps in the morning. However, after turning on my PC I got a popup about upgrading to Windows 10 and wasn't sure if it was legitimate or from the virus. I'm currently using Windows 7. Thought I'd better let you know as I've never seen this popup before and it looks genuine.

pystryker

Posted 21 August 2015 - 05:39 PM

pystryker

Trusted Helper

Malware Removal

3,894 posts

No problem, we do this on the schedule that works best for you. That window is probably legitimate, as Microsoft is trying to get people to upgrade. But I would hold off if you plan to upgrade until we get finished with the cleaning. :-)


Alkalidum

Posted 22 August 2015 - 02:28 AM

Alkalidum

Member

Topic Starter

Member

64 posts

Hey again

Just tried to do step 1 but I'm a bit confused. I launch Spybot and there doesn't appear to be any menu with tools, I'm probably just being an idiot lol. I clicked 'startup tools' but couldn't see any resident or TeaTimer.

I also tried #2 in step one. I went to C:\Program Files\Spybot - Search & Destroy but nothing is there; however, in C:\Program Files (x86) there is a folder called 'Spybot - Search & Destroy 2' but there is no TeaTimer.exe in that folder.

Edit: I think I know why my PC is running slower than usual too. I just looked in Task Manager and my System Idle Process is running up my CPU like crazy.

pystryker

Posted 22 August 2015 - 04:46 AM

pystryker

Trusted Helper

Malware Removal

3,894 posts

Hey again

Just tried to do step 1 but I'm a bit confused. I launch Spybot and there doesn't appear to be any menu with tools, I'm probably just being an idiot lol. I clicked 'startup tools' but couldn't see any resident or TeaTimer. This is what I see:

I also tried #2 in step one. I went to C:\Program Files\Spybot - Search & Destroy but nothing is there; however, in C:\Program Files (x86) there is a folder called 'Spybot - Search & Destroy 2' but there is no TeaTimer.exe in that folder.

Edit: I think I know why my PC is running slower than usual too. I just looked in Task Manager and my System Idle Process is running up my CPU like crazy.

No worries. Try these instructions below, and if they do not coincide with what you see, please continue on with the next steps in post #8.

Run Spybot-S&D, switch to the Advanced mode via the menu bar item Mode → hit Yes → select Tools in the navigation bar on the left → Resident and there you can untick the checkboxes in front of the two tools.

Alkalidum

Posted 22 August 2015 - 05:22 AM

Alkalidum

Member

Topic Starter

Member

64 posts

No worries. Try these instructions below, and if they do not coincide with what you see, please continue on with the next steps in post #8.

Run Spybot-S&D, switch to the Advanced mode via the menu bar item Mode → hit Yes → select Tools in the navigation bar on the left → Resident and there you can untick the checkboxes in front of the two tools.

pystryker

Posted 22 August 2015 - 06:24 AM

pystryker

Trusted Helper

Malware Removal

3,894 posts

Couldn't find these options either so I went onto step 2.

Hello

No problem, evidently Spybot has changed their interface and I need to check on that. I see that the fix has done its job and removed the proxy along with the other items as well. However, I do see one file that is being flagged and I can't find any information on it. So, let's upload it to VirusTotal and let them have a go at scanning it.